PetrWrap, a Petya-based ransomware, was used in targeted attacks

Threat actors in the wild have found the way to hijack the Petya ransomware on the fly and use it in targeted attacks, say welcome to PetrWrap ransomware.

The Petya ransomware was first spotted by experts at TrendMicro one year ago, it overwrites MBR to lock users out of the infected machines.

The Petya ransomware causes a blue screen of death (BSoD) by overwriting the MBR with malicious code that encrypts the drive’s master file table (MFT).

When the victim tries to reboot the PC, it will impossible to load the OS, even in Safe Mode. Users turning on the computer are displayed a flashing red and white screen with a skull-and-crossbones instead.

The Petya ransomware has a RaaS model, but the attackers developed a special module to patch the original Petya ransomware “on the fly.”

The attackers first compromised the networks of target organizations, then used the PsExec tool to install a ransomware on all endpoints and servers.

The variant of Petya group used in the attack was dubbed PetrWrap.

“The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine.” reads the analysis published by Kaspersky. “What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.”

The authors of the PetrWrap ransomware have devised a method to force Petya in using an encryption key that is different from the one that the original creators have hardcoded.

Using this mechanism, the attackers can decrypt the files in any time. The PetrWrap also removes all mentions of Petya from the ransom message, as well as its animation red skull designed in ASCII.

Why do hackers hijack the Petya ransomware?

First, because attackers don’t need to write a ransomware from scratch, second, because the version used by threat actors is stable and not affected by major flaws.

The bad news for the victims is that currently there isn’t a recovery tool to decrypt the MFT of hard disk volumes infected by Petya. The experts noticed anyway that because this specific ransomware doesn’t encrypt the file contents, it is possible to reconstruct the file from hard disk raw data by using specific recovery tools.

Summarizing, the PetrWrap ransomware achieves the following goals:

The victim’s machine is locked and the MFT of NTFS partitions is encrypted securely (because Petya v3 which is used in this attack doesn’t have flaws of the earlier versions and implements Salsa20 correctly);

The lockscreen doesn’t show the flashing skull animation and doesn’t contain any mentions of Petya which makes it harder to assess the situation and determine the extent of the caused damage;

The developers of PetrWrap didn’t have to write the low-level bootloader code and risk making mistakes similar to the ones observed in earlier versions of Petya.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.